| 1 |
Hi, everyone. |
| 2 |
|
| 3 |
As an experimental feature the current git version of gemato tries to |
| 4 |
use WKD [1] to update keys by default. I'd like to request your opinion |
| 5 |
on this and possibly a review of my implementation [2]. |
| 6 |
|
| 7 |
The problem being solved: currently gemato (and Portage via its API) |
| 8 |
refreshes keys from keyservers before every sync. We do this to ensure |
| 9 |
that we catch a possible key revocation before a compromised key could |
| 10 |
be used to inject malicious data. Sadly, keyservers are far from |
| 11 |
stable, and users are repeatedly having problems fetching keys from |
| 12 |
them. |
| 13 |
|
| 14 |
While debating a related problem within Infra (Infra servers failing |
| 15 |
while updating developer keys) we weren't able to find a satisfactory |
| 16 |
solution involving use of keyservers. It has been suggested that it |
| 17 |
might be an actual problem with keyserver software rather than |
| 18 |
the common network/load problems. |
| 19 |
|
| 20 |
Therefore, I came to the conclusion that using HTTPS would probably be |
| 21 |
the best way to distribute key updates. The WKD protocol whose |
| 22 |
existence has been brought to my attention recently seemed a good fit |
| 23 |
for the job, especially that I've already implemented it on Gentoo |
| 24 |
Infrastructure. However, since GnuPG only implements WKD use for key |
| 25 |
discovery and not key updates, I had to extend on the features provided. |
| 26 |
|
| 27 |
|
| 28 |
In order to perform key update using WKD gemato, in order: |
| 29 |
|
| 30 |
1. Imports the provided keyring into a dedicated GNUPGHOME. |
| 31 |
|
| 32 |
2. Obtains fingerprints and UIDs of all keys present in that keyring. |
| 33 |
|
| 34 |
3. Uses 'gpg --locate-key' in a separate dedicated GNUPGHOME to fetch |
| 35 |
keys via WKD for all UIDs found. |
| 36 |
|
| 37 |
4. Exports appropriate keys (by fingerprint) from the WKD keyring |
| 38 |
and verifies that all keys were actually available via WKD. |
| 39 |
|
| 40 |
5. Imports those keys to the original GNUPGHOME. |
| 41 |
|
| 42 |
Failure on any of those steps results in the WKD update being considered |
| 43 |
unsuccessful and a fallback to keyserver update. This includes |
| 44 |
the cases when: |
| 45 |
|
| 46 |
a. at least one of the UIDs found on provided keys is not available |
| 47 |
via WKD, |
| 48 |
|
| 49 |
b. at least one of the keys provided was not fetched via WKD (i.e. UID |
| 50 |
provided a disjoint set of keys). |
| 51 |
|
| 52 |
Currently, WKD update method ignores keys for UIDs that were not present |
| 53 |
in the initial keyring. This means to match the behavior with keyserver |
| 54 |
updates, and avoid introducing potential attack vectors. |
| 55 |
|
| 56 |
|
| 57 |
I believe that the implementation provides the same level of security |
| 58 |
as keyserver-based updates. WKD uses HTTPS just like HKPS -- however, |
| 59 |
the connection is established to one of Gentoo WWW nodes rather than |
| 60 |
an arbitrary keyserver. WKD is being updated from keyservers, so it |
| 61 |
provides consistent information (with 1-2 hours of extra lag). |
| 62 |
|
| 63 |
The keys are identified by fingerprints, so even if an attacker is able |
| 64 |
to replace the WKD file with an arbitrary key, gemato will ignore it as |
| 65 |
mismatched fingerprint. Finally, if WKD does not provide all the needed |
| 66 |
keys, gemato considers the update unsuccessful. This especially means |
| 67 |
that if a revoked key is removed from WKD, gemato will find |
| 68 |
the revocation via keyservers. |
| 69 |
|
| 70 |
Attacks based on blocking access to the WKD servers will only result |
| 71 |
in fallback to keyservers. Blocking access to keyservers will result |
| 72 |
in gemato reporting a failure. Replay attacks are prevented by using |
| 73 |
HTTPS. |
| 74 |
|
| 75 |
|
| 76 |
Does this look good to you? Is there anything I've missed? |
| 77 |
|
| 78 |
|
| 79 |
[1]:https://wiki.gnupg.org/WKD |
| 80 |
[2]:https://github.com/mgorny/gemato/commit/909390c25a0ab589a4ae10d20cb9e321a51163b2 |
| 81 |
|
| 82 |
-- |
| 83 |
Best regards, |
| 84 |
Michał Górny |
Archives